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Abstract —We present a secret key agreement (SKA) protocol 
for a multi-nser time-division duplex system where a base-station 
(BS) with a large antenna array (LAA) shares secret keys with 
users in the presence of non-colluding eavesdroppers. In the 
system, when the BS transmits random sequences to legitimate 
users for sharing common randomness, the eavesdroppers can 
attempt the pilot contamination attack (PCA) in which each of 
eavesdroppers transmits its target user’s training sequence in 
hopes of acquiring possible information leak by steering beam 
towards the eavesdropper. We show that there exists a crucial 
complementary relation between the received signal strengths at 
the eavesdropper and its target user. This relation tells us that the 
eavesdropper inevitably leaves a trace that enables us to devise 
a way of measuring the amount of information leakage to the 
eavesdropper even if PCA parameters are unknown. To this end, 
we derive an estimator for the channel gain from the BS to the 
eavesdropper and propose a rate-adaptation scheme for adjusting 
the length of secret key under the PCA. Extensive analysis and 
evaluations are carried out under various setups, which show that 
the proposed scheme adequately takes advantage of the LAA to 
establish the secret keys under the PCA. 

Index Terms —Channel estimation, information leakage, large 
antenna arrays, multi-user, pilot contamination attack, secret key 
generation, time division duplex. 


I. Introduction 

The broadcast nature of wireless medium makes wire¬ 
less communications especially vulnerable to various security 
threats such as eavesdropping, impersonating, and message 
modification. However, by establishing secret keys between 
legitimate terminals through a secret-key agreement (SKA) 
protocol, such threats can be efficiently nullified. To this 
end, information theoretic approaches Q-0 for the SKA 
have been proposed and extensively studied. In ||T|, Wyner 
considered a scenario called the wiretap channel in which an 
eavesdropper listens in on communications between legitimate 
terminals over a noisier channel than the one between legit¬ 
imate terminals. In the seminar work, it was shown that a 
pair of legitimate terminals can share a secret key in total 
ignorance of the eavesdropper with group codes. Later, Csizar 
and Korner |[^ generalized the Wyner’s original work in |T]. 
Motivated by the results, a great deal of research has been 
conducted on SKA over various types of wiretap channels 0- 
m- However, such SKA schemes seem impractical as most 
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of studies on code design for wiretap channels are limited to 
the cases with asymptotically long block lengths GD-IID and 
the assumption of noisier eavesdropper’s channel may not be 
guaranteed in many cases. In addition, to determine secrecy 
rates, eavesdropper’s channel quality and/or statistics must be 
a priori known. 

Meanwhile, it was shown in Q that a secret key can 
be shared with public discussion even if an eavesdropper 
has a better channel provided the legitimate terminals have 
knowledge of the eavesdropper’s channel quality. In addition, 
a practical sequential SKA protocol was introduced by Maurer. 
The scheme is designed to sequentially perform the following 
three phases: the advantage distillation ffl, information recon¬ 
ciliation and privacy amplification iTS) phases. The first 
phase, i.e. the advantage distillation, enables the legitimate 
terminals to share correlated random sequences with a higher 
correlation than the one an eavesdropper acquires even under 
the condition that neither of the legitimate terminals has 
an advantage compared to the eavesdropper. In the infor¬ 
mation reconciliation phase, the legitimate terminals make 
their correlated random sequences identical by exchanging 
information over public channel. Finally, each legitimate ter¬ 
minal independently performs the privacy amplification on the 
identical random sequence to generate a secret key which the 
eavesdropper is completely ignorant of. The SKA scheme is 
adopted in the quantum key distribution (QKD) protocol GD, 
GZl in which the quantum entanglement is utilized to detect 
possible eavesdropping of the randomness sharing between 
two legitimate terminals. Due to the inherent advantage com¬ 
pared to the eavesdropper, the randomness sharing in the QKD 
protocol can be performed without the advantage distillation 
phase. After the randomness sharing, the protocol performs 
the information reconciliation and the privacy amplification. 
Meanwhile, in wireless communications, there have been a few 
notable efforts 118|-|20| to realize the randomness sharing by 
exploiting wireless channel reciprocity. 

Recently, cellular systems with large antenna arrays 
(LAAfj have been extensively studied due to their attractive 
features |2g-@. On one hand, a high spectral efficiency 
can be achievable since small-scale fading and intra-cell 
interference can be efficiently mitigated by the LAA m- 
| [2^ . On the other hand, from a security point of view, the 
LAA is especially advantageous in the sense that a narrower 
beam formed by the LAA makes the reception at the passive 


*By the LAA, we mean a BS’s antenna array of a number of antenna 
elements and this number is usually much larger than that of users in the cell 
under the service of the BS. 
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eavesdropper significantly weakened. Thus, the secrecy rate 
of wiretap LAA channels grows with the number of transmit 
antennas p4)-p8|. Sum secrecy rates in multi-user MIMO 
system have been studied in Then, the research is 

further extended to a multi-cell setup p8] . These studies show 
that the LAA helps wireless systems to have an advantage 
over eavesdroppers, which is equivalent to performing the 
advantage distillation phase p9| in the randomness sharing. 

This work considers an SKA protocol for the system with 
LAA based on the sequential three-phase protocol. In partic¬ 
ular, the randomness sharing is carried out in such a way that 
the base-station (BS) first acquires a collection of channel state 
information (CSI) between the BS and the multiple users from 
the receptions of orthogonal training sequences simultaneously 
sent by the users during a fraction of coherence block. Then, 
the channel reciprocity ID enables the BS to make a precod¬ 
ing vector for the subsequent downlink data transmission to 
each of users equipped with a single receive antenna. The BS 
transmits different random sequences weighted by precoding 
vectors to the legitimate users during the remaining fraction 
of the coherence time. The time-division duplex (TDD) mode 


significantly reduces the channel estimation overhead |211. 

In this work, we assume that uncoded random sequences 
are transmitted and allows some errors to happen over the 
transmissions. After the downlink transmissions, the BS and 
users end up having correlated random sequences that are not 
necessarily identical due to possible errors in the received 
random sequences. However, the advantage associated with 
LAA enables the shared random sequences between the BS 
and legitimate users to have higher correlations than the ones at 
the passive eavesdroppers when the number of antennas at the 
BS is sufficiently large. Thus, by performing the subsequent 
information reconciliation and privacy amplification phases, 
the BS and users can have identical secret keys in the end. 
The key agreement protocol we consider in this work can be 
understood within the theoretical framework of sender excited 
model (ST), 

However, recently, a serious security weakness of the SKA 
protocol was discussed by Zhou et al in where it was 
pointed out that the precoding for legitimate users in the LAA- 
based TDD system is solely determined by CSI estimates 
based on the uplink training sequences which are exposed to 
active attacks. As a potential attack, the authors in | [3^ studied 
an active eavesdropping attack called pilot contamination 
attack (PCA) in which an eavesdropper transmits the same 
pilot sequence as the one from a target user for the purpose 
of tilting the direction of beam towards the eavesdroppers. 
In particular, by contaminating the pilot sequence, the eaves¬ 
dropper deceives the BS to make a precoding vector which 
steers the beam direction from the target user towards the 
eavesdropper, and the information sent by the BS leaks to 
the eavesdropper. Since the PCA was first introduced in p^ , 
countermeasures to protect wireless communications from the 
PCA have not been well investigated, which motives our work. 
There have been efforts to detect the PCA in p^ , p^ among 
which the authors in p6l studied a PCA detector and an 
estimator of the eavesdropper’s channel. While the detector 
utilizes statistics of the received signals at both BS and the 


target user, the estimator is based only on the ones at the BS 
side. Meanwhile, the work in p4| proposed a PCA detection 
technique which employs random pilots from a set of phase- 
shift keying symbols. In p5j , an SKA protocol under potential 
PCA was proposed and evaluated. However, the SKA protocol 
in p5) is inefficient in the sense that the protocol requires 
multiple coherence blocks and simply discards suspicious 
packets. 

In this paper, based on the three-phase sequential protocol 
we propose a modified SKA protocol tailored for nullifying 
the PCA with assumptions; 1) multiple non-colluding eaves¬ 
droppers equipped with a single antenna attempt the PCA to 
their own targets |36|-p8|, 2) the BS and legitimate users do 
not have any prior knowledge of the eavesdroppers such as the 
number of eavesdroppers in the network, their locations, and 
their transmit powers used in the PCA, and 3) other cells fully 
cooperate in a way not to use the training sequences of the 
users in the process of SKA. Thus, the pilot contaminations 
to the users in the SKA process come only from the active 
eavesdroppers employing the PCA if any. The cooperation 
with other cells can be justified since the SKA session needs to 
be rarely performed as compared to data transmission. Thus, 
the system throughput degradation due to the cooperation 
could be negligible. 

The sequential SKA protocol enables us to establish a secret 
key between legitimate parities even under the PCA if the SKA 
scheme has knowledge of how much information the active 
eavesdroppers have gained about the random sequences trans¬ 
mitted by the BS. However, unfortunately, such knowledge is 
not available. To overcome the technical challenge, the stan¬ 
dard sequential SKA protocol must be modified by introducing 
a mechanism to estimate the amount of information leakage. 

The main idea of the proposed SKA is inspired by the QKD 
protocol ID-ED- The security of QKD is based on the prin¬ 
ciples of quantum mechanics, the no-cloning theorem | |42) for 
example, implying that eavesdropper cannot overhear qubits 
transmitted from a transmitter to a receiver without introducing 
detectable anomalies. In the protocol BB84 p9) , the legitimate 
terminals discuss a certain subset of their measurement results 
to detect the presence of eavesdropping. When eavesdropping 
is detected, the random sequence obtained from this session 
is discarded. We find that the wireless system with LAA has 
a similar property with which the presence of eavesdropper 
can be detected. That is, there is a complementary relation 
between the received signal strengths at the target user and 
eavesdropper. Once an eavesdropper attempts the PCA on 
a target user, the received signal strength at the target user 
becomes weaker than the one expected since the beam formed 
by the BS for the target user is partially steered towards 
the eavesdropper. Thus, the stronger the PCA, the wider gap 
between the signal strength measured at the target user and 
the one expected. In this paper, based on this relation, we 
derive an estimator to measure the CSI between the BS and 
eavesdroppers since the CSI is directly proportional to the 
amount of the information leakage. Then, the BS and the 
legitimate users can adjust the lengths of secret keys according 
to the estimated amount of information leakage contrary to 
the protocol BB84 p9) where the generated secret keys are 
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discarded when eavesdropping is suspicious. Performances of 
the proposed scheme are evaluated by conducting comparisons 
in numerical and analytic ways in various environments. The 
main contributions of this paper is summarized as follows; 


1) We first introduce the proposed SKA protocol to defend 
wireless systems with LAA against the PCA. The impact 
of the PCA on the performance of the SKA scheme 
is analyzed in terms of average signal-to-interference- 
plus-noise power ratios (SINRs) at the target user and 
eavesdropper. The analysis results clearly show the com¬ 
plementary relation between the average SINRs at the 
target user and eavesdropper. 

2) Based on the complementary relation, we derive an es¬ 
timator for the purpose of estimating the eavesdroppers’ 
channels, i.e. the ones between the BS and eavesdrop¬ 
pers. It will be shown that the estimation results can 
be utilized for estimating the amount of information 
leakage during the randomness sharing. 

3) We evaluate average secret key lengths when the esti¬ 
mate of information leakage is provided to the sequential 
SKA protocol which adaptively determines the length 
of resulting secret key. Performance evaluations show 
that the secrecy outage probability, i.e. the probability 
not to achieve perfect secrecy, decreases exponentially 
fast with the number of antennas. In addition, it will 
be shown that a stronger PCA ironically results in a 
better system performance, i.e. a lower secrecy outage 
probability due to the complementary relation. 

4) Comprehensive performance evaluations are carried out 
to see trade-offs between the outage probability and 
average secret key length with different combinations 
of system parameters, such as the number of users, 
the number of antennas at the BS, and the lengths of 
random sequences. The results of performance evalua¬ 
tions enable the system designer to choose appropriate 
parameters to meet various system requirements. 


The rest of the paper is organized as follows. In Section [11] 
we describe the scenario under investigation which includes 
the proposed SKA protocol, an adversary model, and channel 
models. In Section III the complementary relation of the 
received signal strengths is analyzed by investigating average 
SINRs at the legitimate user and eavesdropper. Based on the 
relation, an estimation scheme for the amount of information 
leakage to eavesdropper is proposed and analyzed. In Sec¬ 
tion IV performance evaluations for the proposed estimation 


scheme are carried out in terms of a normalized mean-square 
error. In addition, the secrecy outage probability and the 
average length of secret key are extensively evaluated with 
various combinations of design parameters. Finally, we make 
conclusions in Section lYl 

Notation: Bold face upper and lower case letters are used 
to denote matrices and vectors, respectively. Transpose and 
Hermitian are denoted by (•)^ and (•)^^, respectively. We 
use [a;]+ for max{0,a:}. Om and 1m denote the M x 1 all 
zero vector and M x M identity matrix, respectively. We 
use II-11 for the Euclidean vector norm. A probability density 
function (pdf) and a conditional pdf are denoted by /(•) and 


/(•j-), respectively. When the pdf and the conditional pdf are 
parameterized by an unknown parameter 6, they are denoted 
by and respectively. 


II. Secret Key Agreement Scheme 
A. System model 

We consider a TDD-based cellular system where a base 
station in each cell, called Alice, aims at establishing different 
secret keys with K legitimate users in the presence of Ke 
active eavesdroppers. Alice has an array of a large number 
of antennas, say M antennas, while each of K users has 
a single antenna. Fig. |l(a)| illustrates an example where the 
fc-th legitimate user is in the SKA session over a wireless 
channel, and the f^-th eavesdropper attempts the PCA to the 
fc-th legitimate user over a different wireless channel. 

The wireless channels in this work experience both small- 


scale and large-scale fading. In Fig. 1(a) the channel realiza¬ 
tion at the j-th coherence block between Alice and the fc-th 
user is given by y/Pkjitkj. Here, y/f3k,j accounts for the 
nonnegative large-scale fading factor determined by path-loss 
and shadowing, which are slowly varying over time, while hkj 
is an M X 1 vector representing the small-scale fading and 
varying faster than the large-scale fading factors. We assume 
that the large-scale fading factors, y/ /3k,j’& for 1 < k < K 
are public information a priori known to everyone including 
eavesdroppers. Meanwhile, it is assumed that the small-scale 
fading factor, h^ j’s follow CA/^(Ojv/, Im) are statistically 
independent and identically distributed (i.i.d.). In addition, 
we assume block fading channels, i.e. h^j’s are static over 
a coherence block and i.i.d. across coherence blocks. The 
proposed SKA protocol is performed within one coherence 
block, and thus we will omit the coherence block index j for 
simplicity throughout this paper. Contrary to the large scaling 
fading factors, only the statistical properties of the small scale 
fading factors are known to everyone. Thus, each realization 
of hfc is unknown and must be estimated if needed. Similarly, 
the wireless channels between Alice and the eavesdroppers 
are modeled as £ S iTg}, where y/]3f and 

are the large- and small-scale fading factors, respectively. Note 
that the coherence block index j is omitted as aforementioned. 
Contrary to the legitimate users’ channels, it is assumed that 
the large scaling fading factors /3| is known only to the 
eavesdroppers, i.e. not available to the legitimate users and 
Alice. 

For the cellular system, we consider the proposed SKA 
protocol summarized in Fig. |l(b)| which consists of common 
randomness sharing, information reconciliation, information 
leakage estimation and privacy amplifications. In this section. 


the building blocks of the proposed scheme in Fig. 1(b) 
are introduced in detail except for the information leakage 
estimation which will be discussed in Section nni 


B. Common Randomness Sharing (CRS) 

1) Uplink Training: The CRS is initiated by users who want 
to establish secret keys. As the first step of the CRS, K users 
simultaneously transmit orthonormal training sequences at the 
beginning of a coherence block so that Alice can estimate 
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CSI of each user, i.e. h^. In particular, the legitimate users 
transmit Alice, where is the uplink training 

power, t/jT. is a 1 X 7V„ binary orthonormal training sequence, 
i.e. ~ = 0 for k ^ i, and k and i are in 

1C = {1,2,.. ., K}. Here, (i.e., the length of orthonormal 
training sequences) is usually larger than or equal to K. 

Meanwhile, for the PCA, the eavesdroppers inject their 
target users’ training sequences perfectly synchronized with 
the uplink training sequences originated from the legitimate 
users. Then, the received signal at Alice becomes 

Y = E \/puPk^u^k'^k ^ ^ + U, (1) 

keK eee 

where S = {1,..., K^} is the index set of eavesdroppers, p| 
is the PCA power of the £-th eavesdropper, U is an M x 
Nu noise matrix in which each entry is independent zero- 
mean circularly-symmetric complex Gaussian (CSCG) with 
unit variance. 

Since we assume multiple non-colluding eavesdroppers in 
a cell, it is conceivable that multiple eavesdroppers may 
perform the PCA to a target user. This is however of no 
benefit to the non-colluding eavesdroppers since they are in a 
competition to pull the user beam towards them, and thereby 
the amount of information leaked to each eavesdropper de¬ 
creases. Furthermore, if an eavesdropper performs the PCA on 
multiple users simultaneously, it will receive a superposition of 
multiple signals and its eavesdropping performance becomes 
interference-limited as when a signal to a user is to be detected 
or decoded, the other signals (to the other users) become 
interfering signals. 

Thus, throughout this paper, we consider the best case 
scenario for eavesdroppers as follows: 

• An eavesdropper does not attempt the PCA targeting 
more than one user at a time, and 

• A user is not targeted by more than one eavesdropper at 
a time. 

The assumptions guarantee that there are at most K eavesdrop¬ 
pers in a cell, i.e. < K, and each of them has its unique 


target. In this work, without loss of generality, we assume that 
K = £, i.e. Kf, = K and the Ic-th legitimate user is attacked 
by the fc-th eavesdropper. Hereafter, the fc-th user and the fc-th 
eavesdropper are called Bob and Eve for short when there is 
no risk of confusion. 

Since Alice does not know the CSI for the legitimate users, 
she has to estimate the CSI based on the received signal, Y. 
Due to the orthonormality, = Yt/?^ is a sufficient statistic 
for estimating the CSI for Bob, i.e. h^, which is expressed as 


yfc = -f Ufc, for/c e/C, 


where Ck = PuPkNu, Ufc = and 


Wk 



for k G 1C. 


( 2 ) 


(3) 


In (|^, Wk G [0, cx)|^ represents the ejfective strength of the 
PCA to Bob, and the case of Wk = 0 implies passive eaves¬ 
dropping. We employ a minimum mean-square-error (MSE), 
or MMSE estimator to estimate p3l , p4l which is 


hfc = 


1 -I- (1 -I- wl) Ck^^' 


(4) 


Note that the estimator in Q requires the knowledge of Wk 
that is, however, not available to Alice. Thus, when Alice is 
not aware of the PCA, she has the estimate, in 0 with 
Wk = 0, which becomes 


hfc = yfcv^/(l + Cfc)- 


^We exclude > 1 since an eavesdropper considered in this paper aims 
to eavesdrop a secret key between Alice and a target without revealing its 
presence. Nevertheless, the eavesdropper may increase its uplink training 
power by > 1. In this case, the attack can be detected by the target 
user immediately |26| , and Alice and the target user can avoid such an attack 
by establishing a new wireless channel to generate a secret key. 
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2) Downlink Transmission: In the downlink transmission, 
Alice generates K binary random sequences of length N},, 
denoted by • ■ ■, for k G 1C, which are 

then mapped into a modulated sequence of length Nd, denoted 
by qfc = [qk.i, ■ ■ ■ ,qk,NaV, where qk,j G C, 1 < j < Nd- 
Alice simultaneously sends weighted by precoding vectors 
in the form of ^k^ik for all k G 1C, where pd is the 

downlink transmission power, and ak is an M x 1 precoding 
vector for Bob. The average power of q^, is normalized to be 
;ji^E[||qfe|p] = 1. The precoding vector a/j is determined as 
a function of h^, i.e = (p{h.k) where tp{-) is a precoding 
vector generating function that could be chosen in different 
ways. In this paper, we consider the matched filter (MF) 
precoding to gain more insights into the proposed systerr0 

Ak = for k G 1C. (5) 

llh.|| 

Meanwhile, at the receiver side, without loss of generality, 
we assume that the received signal of each user is normalized 
by y/pdPkM for k G 1C. Then, the normalized received signal 
vector for Bob is given by 

= i'vw )+g {'§§) '=• 

( 6 ) 

where Zk is an Nd x 1 zero-mean CSCG noise vector with 
covariance matrix {pd/3kM)~^lN- We define an effective 
downlink channel gain (EDCG) from Alice to Bob as pk = 
^^h^ak which leads to the following simplified expression 
of Tfc: 


f/c = 9k^k + rife for k G 1C, (7) 


where tife = + Zfe- In Appendix 

that h^ai for k £ follows CAf{0, 1). Thus, the 
follows CA/’(Ojv^,where 


show 


ast term, rife 


a 


2 

fife 


1 

M 


(^K-l + 



( 8 ) 


Following a similar approach, we have the normalized 
received signal vector for Eve as 



Note that no noise is assumed in the normalized received 
signal vector for Eve, which leads to an unfavorite scenario 
to Bob and Alice. Thus, the sum of interference due to the 
downlink signals to the other users is only the factor to impair 
recovering qfe from r|. In addition, the assumption allows us 
not to care for the the locations of the eavesdroppers. The 
received signal at Eve, can also be simplified to 


ffc = SfeQfc + rife for kGS, (10) 


where a.^ is the EDCG from Alice to Eve, 

and )q£ whose distribution is given by 

JatJ with erg ^ = {K - l)/M. In Eig. |I^ 
the received signals rfe and at Bob and Eve, respectively, 
are depicted as the results of the CRS. 


C. Information Reconciliation and Privacy Amplification 


After the CRS, secret keys are extracted from the shared 
randomness through the information reconciliation and privacy 
amplification phases, which requires knowledge of informa¬ 
tion leakage to eavesdroppers by the PCA. However, we 
assume that Alice and the K users have no information about 
eavesdroppers. In this section, we first review the information 
reconciliation and privacy amplification phases shown in Eig. 


1(b) and then discuss how such missing information hinders 
the phases from generating secret keys. 

In the information reconciliation phase, Alice sends parity 
bits over an authenticated public channel to the users who 
need to correct errors occurred in the CRS. In the CRS, 
Alice transmits to Bob a sequence qfe that arrives at Bob 
and Eve who have received sequences rfe = (rfe i,..., rk,Na) 
and = (r 


fc.l’ ■ ■ • > ' k,Nd 


), respectively. After the randomness 
sharing, Alice and Bob can have shared information which 
amounts to I{C\k] R-fc) where Qfe and Rfe are random vectors 
corresponding to the realizations qfe and rfe, respectively. 
The uncertainty between Qfe and Rfe must be resolved to 
make them identical in the information reconciliation phase. 
According to the Slepian-Wolf theorem | |45) , the information 
reconciliation requires at least Vk = i7(Qfe|Rfe) = H{Q,k) — 
I{Q,k', Rfe) bit exchanges over the public channel. While either 
Alice or Bob can generate and transmit the parity bits, this 
work assumes that Alice sends the parity bits since Alice 
already has the estimated CSI. Then, Alice and Bob can have 
an identical sequence, qfe which turns into the binary sequence, 
bfe of length A), = H{Qk)- However, the sequence is not 
secure from eavesdropping due to the information leakage, 
denoted by Efe, during the first two phases, i.e. the CRS and 
information reconciliation phases. Alice and Bob extract a 
secret key from Qfe by performing the privacy amplification 
process which eliminates the amount of eavesdropped infor¬ 
mation, Efe, from i7(Qfe). This can be done by using a hash 
function, Gk G Q : {0,1}^'’ —>■ {0,1}'*'', randomly chosen 
from a family of universal hash functions, Q ph) where Sk is 
the length of secret key, Sfe. If we determine Sk such that 


Sk = [Nd{I(,Qk] Rk) - I{Qk] Rl)} - 2afe - 2 - 6fe]+ , 

( 11 ) 

where Qk and i?! are the i.i.d. random variables representing 
the components in the random vectors, Qfe and R^, respec¬ 
tively, it is guaranteed that, for a sufficiently large Nd, the 
eavesdropper’s uncertainty about the secret key, denoted by 
i7(Sfe|Gfe, Efe), is bounded by 


^In general, two linear precoding schemes, MF and MMSE precoding 
methods, are of practical interest )43| . Our main results are also valid with 
the MMSE precoding, but its complicated expression may make it harder to 
understand essentials. 


iT(Sfe|Gfe,Efe) > Sfe - with probability 1-2 

( 12 ) 
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By appropriately choosing ak and bk, we can obtain a suffi¬ 
ciently long secret key with the eavesdropper’s uncertainty that 
can be arbitrarily close to Sk, which implies perfect secrecy. 

However, the standard sequential SKA protocol cannot be 
directly applied to our scenario due to the assumption, i.e no 
prior knowledge about the eavesdroppers. In particular, the 
problems are as follows: 

1) Unknown The required i^k for the information recon¬ 
ciliation is derived from I{Qk',Rk) which is a function 
of CSl between Alice and Bob. However, once the 
training sequence sent by Bob is contaminated by the 
PCA, Alice would have a poor estimate of the CSI, 
and its corresponding i^k may not be enough for Bob 
to decode q^.. 

2) Unknown I{Qk', Rl)' Due to unknown CSI between Al¬ 
ice and Eve, Alice and Bob cannot measure I{Qk', Rl)- 
Thus, the standard sequential SKA protocol cannot de¬ 
termine the length of secret key in o to achieve perfect 
secrecy. 


The first problem of unknown Vk can be resolved by 
exchanging additional messages between Alice and Bob. For 
example, if a rateless Slepian-Wolf code is employed, Alice 
can repeatedly send additional parity bits to Bob until Bob has 
a sufficiently large number of parity bits to make identical 
to qfc and sends an acknowledge message to Alice. In this case, 
although a certain amount of overhead is inevitable, the rate¬ 
less Slepian-Wolf codes can be a practical solution since they 
do not require instantaneous CSI between a transmitter and 
a receiver. Thus, throughout this paper, we assume that Bob 
can perfectly recover q^ using a rateless Slepian-Wolf code. 
The practical design and optimization of rateless Slepian-Wolf 
codes are presented in ||47|, ||48|. 


However, unknown I{Qk] R^) is still problematic. Since the 
eavesdroppers will not reveal their presence and information 
about the PCA, a mechanism must be introduced into the pro¬ 
posed scheme to estimate I{Qk]Rk), which is realized in this 
work by taking advantage of a trace left by the eavesdropper 
during the PCA. To be precisely. Bob is suspicious of the PCA 
if its received signal strength unexpectedly drops during the 
CRS. Then, Bob can estimate I{Qk\R%) by comparing the 
received signal strength with its expectation. As depicted in 
Fig. 1(b) the estimation results, denoted by g^, are provided 
to the privacy amplification, which in the end generates secret 
keys as the final results of the proposed SKA protocol. The 
details of the proposed method will be introduced and analyzed 
in the following sections. 


Before finishing this section, a few practical issues should 
be discussed. In fast fading environments, the proposed SKA 
protocol may result in a considerable overhead to establish 
a secret key at a sufficiently long length. In such a case, 
there might be a trade-off between the data throughput and 
key renewal rate for a given secret key length. In addition, an 
unexpected drop of the received signal strength can happen due 
to user mobility or sudden environment changes, which may 
introduce a false alarm and thus degrade the performance of 
the proposed SKA protocol, i.e. the average secret key length. 


HI. Estimation of Information Feakage 

In this section, we first investigate an inevitable comple¬ 
mentary relation between SINR’s at Bob and Eve, i.e. the 
increase of SINR at one party must result in the decrease of 
SINR at the other. Based on this complementary relation, we 
propose an estimator of the EDCG from Alice to Eve (i.e. pp, 
which allows us to estimate the information leakage to Eve, 
I{Qk', Rk)- The crucial complementary relation also promises 
a better estimation result for a stronger PCA. 


A. The Impact of PCA on Average SINRs 

The average SINRs at Bob and Eve, denoted by SINR^ and 
SINR^, are defined as 

SINRfc ='E[{gkqk)H9knk)]/{NdE[nlnk]), and 
SINR^. = E[(p^q,)t( 5 ^,q,)]/(Ar,E[nf n^]). 


Then, the average SINRs are derived in the following result. 

Theorem 1: When Bob and Eve receive the signals in Q 
and ( [Tol l, respectively, their SINR’s are given by 


SINRfc = 
SINR^ = 


Mck -f rCfeCfc -I- 1 
(1 -I- (1 -I- wl)ck){K - 1 -f 
Mwlck -I- Cfc -I- 1 
{1 + il + wl)ck){K - 1 )' 


and 


(13) 

(14) 


Proof: See Appendix |B| ■ 

Remark 1: By letting Wk 0, the results in Theorem [T] 
turn into the ones for passive eavesdropping. Then, we have 
SINRfe = “d SINR^. = which 

shows that SINR^ grows with the number of antennas, M. 
On the other hand, SINR^ does not depend on M. Thus, the 
length of secret key can be increased by employing more 
antennas at Alice under the passive eavesdropping. While 
similar results can be found in 1^-1^, the results in the 
work are different from the previous ones in that the signals 
for the other K —1 users in our model act as interference and 
preclude the eavesdropper from taking information. 

The ratio of SINR’s at Bob and Eve is readily approximated 
as 7 fe = SINRfc/SINR^ « l/wl when AT > 1 and M > 1. 
The ratio clearly shows that the SINR at Bob is inversely 
proportional to the effective strength of the PCA, Wk, which 
leads to a better SINR at Eve. While the results in Theorem 
describe the average behavior of SINR, the instantaneous 
amount of information leakage in each SKA protocol is not 
provided. In the next subsection, bearing the complementary 
relation in mind, we will derive an estimator of the EDCG 
from Alice to Eve, which in turn gives us an instantaneous 
estimate of the information leakage to eavesdroppers. 


B. Estimation of Eavesdropper’s Channel 

According to the amount of information leaked to 
Eve, I{Qk',Rk), is readily found by Bob when the EDCG 
from Alice to Eve, is known to Bob. To this end, in this 
subsection, we derive an estimator for g^. The estimation of g^ 
is carried out by fulfilling a series of estimations: 1) maximum- 
likelihood estimation (MLE) for Wk 2) MMSE estimation for 
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gk, and 3) MMSE estimation for gf., where their estimates are 
denoted by Wk, gk, and g^, respectively. The estimation results 
from the first two steps are used as unknown parameters in 
the estimations of g^. 

The main idea behind the proposed estimator is to ex¬ 
ploit the complementary relation between the received signal 
strengths at Bob and Eve, which results in an unexpected drop 
of signal strength at the target user when the PCA is attempted 
to Bob. The difference between the received signal strengths 
and his expectation will be used to estimate g^. However, the 
CSI of the channel from Alice to Bob is unknown to Bob and 
thus he does not know his expected signal strength. To resolve 
this issue, as shown in Eig. l(b)| Alice sends side information 
Cfe = Ilyfcll for k G JC, i.e. the strengths of her received signals 
right after the information reconciliation phase. 

1) Estimation ofwk-' With the side information (k and the 
normalized received signal vector at Bob in (|^, we can derive 
the MLE, Wk, as 


Wfc = argmax/(rfc|qfc,Cfc;wfe), (15) 

Wk 

where is given by the information reconciliation using a 
rateless Slepian-Wolf code. The pdf f{rk\cik,Ck',Wk) in 
can be factorized as 


firk\cik,Ck;wk) 

= j f{^^k\<\k,C,k,gk■,Wk)f{gk\^.k,C,k■,Wk)dgk 

- / f{tttk\^k,gk\Wk)f{gk\(,k\Wk)dgk, 


(16) 


where (a) is due to the facts that is independent of Wk and 
C,k for a given gk, and gk is independent of q^. 

Note that finding Wk by substituting into •ED requires 
an exhaustive search as there is no closed-form solution. 
It may be impractical to find the estimate by performing 
numerical integrations, especially when the users suffer from 
limited computing power and/or power resources. Thus, we 
approximate the MLE of Wk by taking one of the key features 
of systems with LAA, i.e. the randomness caused by fading 
and noise vanishes as the number of antennas increases 
| [23| . The following theorem describes the asymptotic behavior 
of gk as M —>■ oo. 

Theorem 2: Under the PCA with Wk, as M increases, gk 
converges to fj.g^ = ^ in probability for a given 

Cfe- 

Proof: See Appendix [C] ■ 

Thus, by applying Theorem to ( [Tbl l, we have 
/(rfc|qfc,5fe;u'fe) ^ /(ffelqfc.MgU'^fe) in probability for a 
large M. This result allows us to have a simpler MLE 
of Wk- That is, the value of Wk for which the derivative 
of /(rfc|q^:,/ig^;Wfc) with respect to Wk is equal to zero 
corresponds to Wk- After some manipulations, we obtain a 
closed form expression for Wk as 


Wk = 




n + 


Cfe 




s/ckM 


- 1 + 




(17) 


2) Estimation of gk-' The MMSE estimator for gk, i.e. gk = 
E [gk\rk, q.k,Ck;wk] can be derived as 


4qfe 


gk = 


9k 


qlqfe 




(18) 


The details of the derivation are given in Appendix]^ 

3) Estimation of g^: The MMSE estimator for is ob¬ 
tained by taking the conditional expectation of g^ given the 
known parameters, r^, q^, and (k p3] . That is, g^ is given 

by 


fffe = E[gfc|rfc,qfc,Cfc;iUfe], 


(19) 


which is derived in the following theorem. 

Theorem 3: Eor given r^, q^, and Ck, the MMSE estimator 
for g^ is given by 

WkC-k f Ck 


gk = 


gk 


( 20 ) 


1 + wlck \s/ckM 

where gk is the MMSE estimate of gk in ( [T8] l. 

Proof: Erom ( [T9] l, we can find g^ by conducting a serious 
of decomposition as follows: 

9k = J gkf{gk\^k,cik,Ck;wk)dgl 

= j 9 k j f{gk,gk\rk,(lk,C,k-,Wk)dgkdgl 

= j 9 k j /( 5 fcl 5 fe,rfe,qfe,Cfe;wfc) 

/(Sfekfe: qfe: Cfe; Wk)dgkdgl 
gl / f{gk\gk,C,k-,Wk)f{gk\Yk,(\kXk-,Wk)dgkdgl 


(a) 


{b) 


gkf{gk\gk,c,k]Wk)dgl 


f{gk\rk,<^k,C,k-,Wk)dgk 


(c) WkCk ( Ck 


1 + wlck \s/ckM 


-E[gk\rk,qk,Ck;wk] 


( 21 ) 


where (a) is from the fact that g^ is independent of and 
qfc for given gk and Ck, (b) is from the Eubini’s theorem that 
allows us to change the order of integration, (c) is from the 
fact that / gt:f{gl\gk,Ck]Wk)dgl = g-c derived in Appendix 
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Remark 2: The expression for g^ in (20i shows that the 
estimator exploits the complementary relation as expected. 
That is. Bob first tries to estimate gk, and then g^ by comparing 


the estimate of gk with its expected value. 


Ck 


Thus, for a 


given Ck, the smaller gk Bob has, the larger the estimator 
produces. In the end, the PCA is detected with the higher 
probability. It should be noted that while we do not discuss in 
this work, a detector can be derived with the result in ( |20| ) 
with which the shared random sequence can be discarded 
when eavesdropping is detected as the BB84 protocol does. 
In the evaluations of the g^, the unknown parameter Wk will 
be replaced with the estimated one, Wk in ( flTj i. 

In Section |IV] the performances of the proposed estimator 
in ( |20l i will be evaluated in terms of the MSE p3] which is 
derived in this subsection. Let us first rewrite the estimate of 
gk as gk = gk — ^k.i, where ek,i is the MMSE estimation 
























error of gk- Then, the MMSE estimator for gf. in ( |20| ) can be 
rewritten as 


9k = 

(a) 


1 + wlck 


Ck 


— gk + Ck,! 


= H9t\Ck,9k] 


— 9k~ fife,2 + 


VckM 

'^k^k 

+ T“|-2— 

1 + wf.Ck 


^k^k 


1 


wlck 


Cfc.i — gl ~ efc.2 + e^^i, 


( 22 ) 


where (a) is due to the fact that the conditional mean value 
of gl for given g^ and Cfc is - 9k) as shown 

in Appendix [P] and 2 is dehned as the MMSE estimation 
error of g^. when gk is perfectly known to Bob. Thus, the MSE 
of g^. becomes 


H\9k- 9l?-,Wk] 
= E[|efc,2p] 


= E[|efc,2l1 + 


■E[|e'fc,iP]-2E[5ft{efeX,i}] 


1 + wlck 


E[|efc,i 


where (a) is from the facts that ek ,2 is independent of ek,i, 
and E[efc i] = 0 for i = 1, 2 since the MMSE estimation error 
is Gaussian with zero mean |43|, ||4^. Note that E[|efc_ 2 p] 


and E[|efe^ip] correspond to the conditional variances of 
g^ and gk with respect to the pdfs f{gk\Ck, gk',Wk) and 
f{9k\^k,(ikXk',Wk), respectively, which are derived in Ap¬ 
pendices]^ and respectively. Then, the MSE of g^ is hnally 
given by 


m9k - 9k?-,Wk] 


(1 + wlck)M 


1 

M 


+ 


1 + wlck 




/ WkCk 


qlqfc + 

2 


1 + wlck 


l + {l+w1.)ck 


(23) 


(if-i-i- 


Pdf<k) 


where is taken from (j^. The MSE in (23 1 looks inversely 
proportional to the number of antennas, 

Remark 3: Before closing this sub-section, it should be 
noted that Alice can also transmit downlink pilot signals which 
may help Bob to estimate the EDCGs, gk, and gj:. Such a two- 
way training strategy gg, is especially helpful under fast 
fading environments where the length of random sequence 
is limited due to the short coherence time interval. Since the 
proposed scheme estimates the EDCGs based on the random 
sequence q^, the limited length of random sequence results 
in poor estimates of gk and In such a case, it may be 
benehcial to allocate a portion of the downlink transmission 
to the downlink pilot signals, which signihcantly improves the 
estimates. While the two-way training strategy reduces the 
length of random sequence, the better estimates of EDCGs 
may offset the decrease of the length of the random sequence. 
Thus, by carefully allocating the downlink transmission to the 
pilot signals and random sequence, a longer secret key may 
be achievable. As another practical issue, we may need to 
consider that while this work assumes the perfect channel 
reciprocity, the uplink and downlink channels may change 


during the key sharing process, which increases the channel 
estimate error. The analysis with the channel variation can 
be conducted by modifying the derivations for the estimation 
errors derived in this section. 


C. Secret Key Generation 

We can now estimate I{Qk]R%) in ( [TT] i by replacing the 
true value of g^. with its estimate, derived in the previous 
subsection. Let us denote the estimate of I{Qk', Rk) based on 
9k ^{Qk',Rk) "'ith which the length of secret key is now 
adaptively determined as 

4 = [Nd{I{Qk\Rk) - I{Qk-,Rl)} -2ak-2- 6fc]+ (24) 
= [Nd{HiQk\Rl) - H{Qk\Rk)} - 2ak - 2 - 4] + 

> [Nd{HiQk\Rl) - uk} -2ak-2- 4] + , (25) 

where R% = gkQk+Nk is the output from an AWGN channel 
with gain g^ and Gaussian noise Nk, and Vk > H{Qk\Rk) 
is the number of parity bits exchanged in the information 
reconciliation phase. Later in the performance evaluations, we 
assume that Vk equals H{Qk\Rk), and the equality holds in 
(j^. However, the estimation error in gf. may result in an un¬ 
derestimate of I{Qk', Rk)- According to a secrecy outage 
occurs when the true value of g^ is greater than its estimate, g^. 
In this case, Alice and Bob fail to make the generated secret 
key completely secure from the eavesdropping. To analyze 
how often the proposed SKA protocol causes the outage event, 
we evaluate the secrecy outage probability, i.e Pr(|g^| < |p|.|). 

We introduce to the SKA protocol a design parameter called 
a secrecy margin, 5 G [0, 00 ) to compensate for the estimation 
error in g^. and define an outage event as 

s = Mri(i+s)^irki^<Kn (26) 

Then, for given Wk and S, the secrecy outage probability is 
expressed as 

Tout (t'/c ; q/c 5 Ck 5 tCk , S) 

= [ f{\9k\^\ttk,cik,Ck;w)d\gl\^. (27) 

Meanwhile, the secrecy margin turns into Rj, = (1 -f 
5)g%Qk + Nk, which decreases the secret key length, Sk in 
•Ej) at the expense of the outage probability. 

Since the pdf f{gl\Yk,(ik,Ck-,Wk) follows CAfa?^) 
as shown in Appendix the conditional pdf 

f{\gt?\ttk,qk,Ck;wk) in (j^ follows a Rice distribution. 
Thus, we can simply express Pout(rfej q/o Cfc! <^) in ( |T7| ) 
as 


Tout (t'fc 5 q/c , Ck 1 tU/j; , S) 


— Qi 






/2|(1 +<5)5^1 


(28) 


9l 


9 k 


where Qi{a,b) = /“a;exp ^ ^ R{ax)dx is the hrst 

order generalized Marcum (^-function, and /o( ) is the zero¬ 
th order modihed Bessel function. By averaging the secrecy 
outage probability in (|28ll with respect to the joint pdf 
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f{rk,cik,Ck',Wk), the average secrecy outage probability is 
given by 

Pout{wk,S) = E[Pout(rfc,qfc,Cfe;t«fe,<J)]- (29) 


SKA protocol with various combinations of design parameters, 
M, K, Nd, and S and show how the parameters affect the 
performances. 


To get more insightful results, we introduce to ( [28] ) an upper 
bound 


Qi{a, b) < exp 


jb-ar 

2 


(30) 


for a < b pT) , p2) . Then, the average secrecy outage 
probability is also bounded as 


Pout{.Wk,S) < E 


exp 


( 1(1 +< 5 ) 5^1 

-I jJ 


(31) 


Now, it is much easier to investigate into asymptotic behaviors 
of the average secrecy outage probability with the upper bound 
in •HD. That is, as M grows, the upper bounds in pT] ) turns 
into 


lim Pout{wk,S) (32) 

M—^oo 


< exp 


(1 + wlck)M5‘^ 

qtqfe(l+u.2cfc)+(iV-l+j^){l + (l+l«2)cfc} 


since g'^ —)■ in probability. 

It can be noticed that the bound in ( [32] i decreases exponen¬ 
tially fast with M, which is possible due to the fact that Bob 
can accurately adjust the length of extracting secret key as g'^ 
gets close to g^. with the growing number antennas. That is, 
even if the beam is tilted toward Eve under the PCA, the LAA 
is still helpful for Bob not only to eliminate the noise/fading 
effects from the received signal but also to estimate the amount 
of information leakage. In Section |IV] we will analyze the 
average secrecy outage probability with various combinations 
of Wk and 5. 


IV. Performance Evaluations 

In this section, we present performances of the proposed 
SKA protocol in both numerical and analytic way^ Through¬ 
out the performance evaluations, we consider the following 
system setup: the ratios of uplink and downlink transmit 
powers (pu and pd, respectively) to the unit noise variance are 
set to 10 dB and 20 dB, respectively. This asymmetric power 
allocation is due to the practical consideration that the power at 
the user side may be limited. Eor the downlink transmission, 
we consider binary random sequences, i.e G { — 1,1}^'^ 
for k G 1C. While binary sequences are considered in this 
work, the results can be readily extended to sequences with 
larger alphabet symbols since all the derivations are in general 
forms. The large scale fading factors, i.e. (3^ and /3|, are set 
to one for all k,i G JC. Einally, the number of symbols in 
the uplink training sequences is assumed to be Ai„ = 100. Eor 
the given setup, we will evaluate performances of the proposed 

'^Although we also perform Monte Carlo simulations, we do not present 
the results in this paper as we confirm that our simulation results are exactly 
the same to the numerical evaluations. 


A. Estimation of 

We first evaluate performances of the estimator g^ in ( |20| ) 
in terms of the normalized MSE (NMSE) defined as 


NMSE = 




(33) 


As a reference, we consider the case that gk is perfectly known 
to Bob. Then, the NMSE becomes 

1 1 


NMSEideal = 


E[|g||2] {l + wlck)M’ 


(34) 


since the perfect knowledge of gk makes Cfc i in ( |221 l zero. 
Thus, the ideal NMSE in ([3^ is a lower bound on the 
NMSE of g^ which is taken as a yardstick in the performance 
evaluations. The NMSE evaluations are carried out with the 
analytic expression of the MSE in ( [23] l and the estimate of 
Wk in ini- To confirm the results, we also find an empirical 
expectation for the NMSE by conducting the e sti mation s of 
gf. and Wk 10^ times at each point in Eigs. 2(a) and 2(b) The 
evaluations from the two different approaches are completely 
overlapped each other, which confirms the derivations in 
Section [111] 

The evaluations of NMSE versus M at different combina¬ 


tions of K and Wk are depicted in Fig. 2(a) where the NMSE 
decreases as either of M and Wk increases as predicted by the 
closed-form expression for the MSE in (|2^. The results in 


Fig 2(a) imply that for a fixed number of antennas, M, Bob 


achieves a better estimation of Eve’s channel g^. when Eve 
attempts a stronger attack, i.e. a larger PCA power wf. in hopes 
of eavesdropping more information about the communication 
between legitimate parties. On the other hand, the increase of 
the number of users, K, induces more interference to Bob and 


thus degrades the NMSE. In Fig. |2(b)| the NMSE evaluations 
are performed with respect to Nd at M = 500, which shows 


the same trends as the ones in Fig. 2(a) It is also noticed that 
the lower bound on NMSE looks independent of Nd, i.e. the 
length of Qfc since Nd affects only the results of gk as shown 
in and the lower bound already assumes the true value 
of gk- The results in Fig. |2(b) show that the performances of 
gl eventually approaches the lower bounds as Nd increases 
since the more samples provide the better degree of accuracy 
in the estimation of gk 143), ig. 


B. Average Secrecy Outage Probability 

In this subsection, we present average secrecy outage prob¬ 
ability of the proposed SKA protocol. As a performance 
benchmark, we also plot the upper bound on Pout{wk,b) by 
introducing another upper bound on the Marcum Q-function: 


Qi{a,b) 

loiab) 


< 


exp(a6) 


exp 


{b-ay 




( 35 ) 
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Fig. 2. NMSE of with different values of M, K, and N^. 




Fig. 3. Average secrecy outage probability, Pout('Wk^ with different parameters for a fixed 5 = 0.1. 


where erfc(x) = ^ exp (— dt. Note that although the 
bound in (|3^ is less insightful than that in ( |30l l, it provides a 
tighter upper bound than that in ( |30| pT), 


_ Fig. 0 depicts the average secrecy outage probability, 
Pout{wk,d), with respect to M and for different values 
of Wk and K when 6 = 0.1. The results in Fig. 3(a) show that 
Pout{wk,d) decreases exponentially fast with M as expected 
from ( [ 32 I 1 . It is also observed that a lower Pout{wk,S) is 
achievable as Wk increases, i.e. a stronger PCA, which is due 
to the fact that a larger Wk allows the proposed estimator 
to have a smaller MSE as derived in ( |2^ , and thereby 
we can reduce the occurrence of secrecy outage events. The 
secrecy outage probability also decreases as Nd increases as 
shown in Fig. |3(b)| w hich is due to a better estimate of gk as 
observed in Fig. 2(b) For a large Nd, Poutiwk,5) eventually 
converges to an certain value which corresponds to the average 
outage probability when the true value of gk is revealed to the 


estimator of g^. 

We now see trade-off relations among different parameters, 
M, K, Nd, and 5, in the average secrecy outage probability by 
investigating the contour plots of Pout{wk,S) in Fig. where 
w1 is set to — 6dB. The results provide a useful reference that 
enables system designers to select appropriate combinations of 
system parameters to meet various system requirements. The 
results in Fig. |4(a)| show that the number of antennas M must 
be almost linearly increased to compensate for the growing 
number of users K to achieve a target average secrecy outage 
probability. The tradeoff between M and K is due to the 
results in ( [3^ where the exponent is inversely proportional to 
M/K for a large Nd- The average secrecy outage probability 
is also analyzed with respect to M and Nd in Fig. |4(b)| where 
it is observed that the performance loss caused by employing a 
smaller size of the FAA can be compensated for by increasing 
Nd to some extent and vice versa. However, as noticed in Fig. 
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(a) Contour plot of PoutitUk, <5) versus M and K when = 1, 000 and (b) Contour plot of Paut{wk, <5) versus M and when K = 100 and 
(5 = 0.1. <5 = 0.1. 



(c) Contour plot of Pout(trifei <5) versus M and <5 when K = 100 and 
Na = I, 000 . 


Fig. 4. Contour plot of Pout (mj;, <5) when = —6 dB 


4(b) the impact of Nd on Pout{,Wk,S) is saturated fast with 


growing Nd- Thus, increasing M is a more effective way to 
reduce Pout{wk, S) when Nd is already large enough. Finally, 
we see the variations of average secrecy outage probability 
with respect to the secrecy margin, S in Fig. 4(c) where it is 
observed that a small change of i5 can exert a large influence on 
Pout{wk,^) since the average outage probability is decreases 
exponentially fast with respect to the square of the secrecy 
margin as shown in ( [32| ). However, it should be noted that the 
smaller outage probability is achieved at the expense of the 
secret key length. We will discuss this issue in detail in the 
next subsection. 


C. Average Length of Extracting Secret Key 

In this subsection, we evaluate the average length of secret 
key in ( |24| ) with respect to different values of M and 5 when 
Nd = 1, 000 and wf. = —6 dB. Note that ak and bk in ( |24| ) 
become negligible for a sufficiently large Nd p?j . Hence, for 


simplicity, we only evaluate Rs{wk,S) = E{[/(Qfc; i?f;) — 
I{Qk', Rk)]^}’ where the expectation is taken over the joint 
pdf of f{rk,(lk,Ck',Wk)- We also evaluate the average secret 
key length when the eavesdropper’s channel, is perfectly 
known to Bob, Rs{wk) = E{[I{Qk-,Rk) - IiQk;Rl)]~'~} as 
a performance benchmark, which elucidates the performance 
loss due to the error in the estimation of 


The average secret key lengths Rs{wk,S) and average 
secrecy outage probabilities Pout{w,S) are evaluated in Figs. 


5(a) and 5(b) respectively, with respect to M for different 


values of K and S. It is noticed that there exists a fundamental 
trade-off between Rs{wk,S) and Pout{wk,S). That is, if we 
increase <5 to achieve a lower Pout{w, S), we have accordingly 
a smaller Rs{wk, S). We can also observe that Rs{wk, S) with 
(5 = 0 achieves almost the same performance of Rs{wk) in 
Fig. 5(a) This result implies that the proposed estimator 
produc es an estimate very close to its true value, g^. However, 
in Fig. 5(b) the corresponding PoutiwkjS) approaches almost 
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Fig. 5. Ra{wi^, (5) and Pout(infc, <5) with respect to M for = 1, 000 and = —6 dB. 


0.5. Note that the estimation result from the MMSE estimator 


for follows a Gaussian distribution | |43| , |44|, and thus 
follows a Rician distribution. While the Rician distribution is 
not symmetric with respect to its true value g^, it becomes 
symmetric as M increases. Thus, for all sufficiently large 
M, Po„t = Pr(|5^| < \gt\) = Pvi\gl\ > \gl\) = 0.5. 
However, for some small M values, the asymmetry of the 
Ricia n distribution makes Pout larger than 0.5 as shown in Fig. 
5(b) However, the results in ([3T]i tell that Pout{w, decreases 


exponentially fast with increasing 6, and thus a small sacrifice 
of Rs{wk, S) is well paid off by a signihcant improvement of 

Fout(tU, . 


In Fig. 5(a) it is also noticed that Rs{wk, S) has a peak after 


which Rs{wk^ S) decreases with growing M. This happens due 
to the fact that both I{Qk\ Rk) and I{Qk', Rk) can not exceed 
1 bit per channel-use (bpcu) and are proportional to the size 
of the FAA as expected from ([T^. Thus, as M grows, the 
Rs{wk, S) has a maximum value and later becomes diminished 
as both I{Qk\Rk) and I{Qk]R%) approach 1 bpcu. 


V. Conclusions 


sequence across cells can be mis-identified as the PCA. In 
addition, the research will further proceed to the cases when 
the channels between legitimate parities and eavesdropper are 
correlated, multiple antennas are employed in eavesdroppers, 
and the channel reciprocity does not hold due to the channel 
variations over time for practical considerations. 

Appendix A 

Consider two M x 1 independent random vectors x = 
[xi,--- ,xmY' and y = [yi,-" )2/m]^ that are zero-mean 
CSCG with covariance matrices ct^Im and respec¬ 

tively. Then, the m-th component of y can be rewritten by 
Vm = for m = I,-- - ,M where C [0, oo) and 

4>Tn S [—TT, tt) follow Rayleigh and uniform distributions, 
respectively. Then, it can be shown 

t = x' = xiTi H-1- xmXm, 

l|y|| 

where x^ = and = —p=Ji^===. Note that 

\/rl + -+rlj 

Xm has the same distribution as Xm due to the circularly- 
symmetric property. The pdf of t is given by 


We studied an SKA protocol with FAA for a multi-user 
TDD system in the presence of multiple eavesdroppers at¬ 
tempting the PCA. By exploiting the complementary relation 
between the received signal strengths at the eavesdropper and 
its target user, an estimator was derived to measure the FDCG 
from the BS to the eavesdropper. From an estimated FDCG, 
the amount of information leakage was quantified, which was 
used to adaptively adjust the length of extract secret key. 
Extensive performance evaluations have been carried out in 
both numerical and analytic ways. We showed that even in 
the case that the eavesdropper can manipulate the FAA by the 
PCA, we can still take advantage of the FAA in the estimator 
and extract a certain length of secret keys with an arbitrary 
low secrecy outage probability. As future research directions, 
we will study a coordinated protocol to detect the PCA in 
a multi-cell scenario, where the reuse of the same training 


fit) = J fit\r)fir)dr 


(a) 


E m 
m—l 


exp -- 


spM ~2 

A^m=l ' H 


/(f)df 


(b) 1 


2 -^ 

TTat V ai 


where (a) is due to the fact that t can be seen as the summation 
of independent complex Gaussian random variables {xm} for 
given f = [fi,--- and (6) is due to the fact that 

_ 2 

Z^m—1 m 


Appendix B 

Since we normalize the average power of to one, we have 
SINRfc = ^ that is determined by the distribution of gk- 
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Based on the orthogonality principle of the MMSE estimation 
p3] , p?) , we can rewrite as follows: 

h^afc (a) (hfc + efc)'f 
9k / / 111'' II ’ 

yM yM ||hfc|| 

where (a) is from at = ^ = , and et is the estimation 

Sfc llhfcll 

error of the MMSE estimation. Note that we have h/j ^ 
CA/'COm, and ~ CAA(Om, 

from the MMSE property | |4^ , | |44| . Then, gk in ( |36| i can be 
rewritten by 


9k = 



(o) 1 


^/M 


ekj 


where (a) is from Appendix 


and Cfc ~ CA/'(0, 


l+m^Cfc 


)■ 


^^ l + (l+t«fc)cfc 

We notice that due to the^rthogonality principle of the 
MMSE estimation, we have E[||hfe||efc] = 0. Thus, we have 
EM = iE[|||h,||+e,p] = iE[||hfc|p] + iE[|efcn. 
Since both and follow the complex Gaussian dis¬ 
tribution, we have E[||hfc|p] = 2 {i+{i+wl)ck} E[-^2m] and 

E[|efep] = 2 {i+a+^ 4 )c,} ^^['^ 2 ]’ '^here is a chi-square 
random variable with m degrees of freedom whose first 
order moment is E[A’y] = m. Thus, we have E[| 5 j;p] = 

Ck J _ 1+w^Ck _ Mck+w1ck + l from 

l+(l+w'f,)ck M{l+(l+w'f,)ck} M{l+(l+w'^)ck} ■ ’ 

we finally have 


SINRi. = 


Mck 


■wlck 


(1 -I- (1 -I- wl)ck){K - 1 -f 


We omit the derivation of SINR^ since we can derive SINR^ 
in the same manner. 


Appendix C 


Let us first find the asymptotic behavior of f{gk\Ck',w). 
In Appendix]^ we have f{gk\Ck;w) ~ CAf It is 
obvious that fimM->oo = 0, while the limiting value of 
fig^ is given by 


lim 

M—^OO 


9‘gk 


1 - Cfe 

lim _ 

M—yoo ]\/f 


yj^k 1 

1 -f (1 + J 


lim _ 

M-foo yjM 



1 

1 + (1 + Wfc)Cfe / 


(a) 


C/c 


1 -I- (1 -f Wfc)Cfe ’ 


(37) 


where y^m is the m-th component of y^, and (a) is from the 
law of large numbers that, as M goes to infinity, the sample 
variance of random variable converges to its true variance. 
Therefore, for a given Cfe, g^ —>■ in probability as M —>■ oo. 

Then, the asymptotic behavior of f{gk',Wk) for a large M is 


given by 


lim f{gk-,Wk) 

M^oo 


= lim / f{gk\Ck;wk)f{Ck]Wk)dCk 

M—>-oo J 


(a) 


lim f{gk\Ck;wk)f{Ck;wk)dC,k 

M—>-oo 


(6) j Cfc 

= A /;-- 9 ^— in probability, 

yi + ii + wDck 

where (a) is due to the Lebesgue dominated convergence 
theorem, and (6) is from (|J7ll. 


Appendix D 

In this Appendix, we derive various pdfs used in this papeij^ 


A. pdfs of f{gk\Ck;wk) and f{gt\Ck;'Wk) 

We first derive the pdf of /(pfelCfe! "uifc)- To obtain 
f{9k\Ck',Wk), we first derive /(hfe|yfe;wfe) using the Baye’s 
theorem, which is given by 

f{yk;wk) 

where, from we have /(yfe|hfc;uife) - 

CA/'(ycfehfe, (1-f iu^Cfc)lM), /(hfe) ~ CA/'(0 m,Im), 

and f{yk]Wk) ~ CA/'(0m, (l + Cfe-f w^Cfe) Im)- After 

some manipulations, we can derive the conditional pdf of 
/(hfe|yfe;'u;fe) from @ as follows: 


fihk\yk;wk) -- CAf 


V^Cfc 


1 + wlck 

1 I I '2 y ^ ’ 1 I I 2 

1 + Cfc + W^Ck 1 + Cfc + wf.Ck 


LM 


Note that gk = h^ak/VM is the sum of scaled Gaussian 
random variables for a given yk since afc becomes constant 
for a given yfe. Then, we have f{gk\yk-,Wk)^ CN{gg ^, tTgJ, 
where 

„ = Ilyfcll , . 2 ^ 1 + wjck 

1 -f Cfe -f wlck ^/M (1 + Cfe -I- wlck)M' 

Einally, / (fffel ||yfe||; Wfe) is derived from /(gfe|yfe;wfc) as 
follows: 


fi9k\yk]Wk) = figkWk, Ilyfell ;wfe) 

-V(5fel lly/c|| ;tcfc), 

where (a) is due to the fact that pg^ and are in¬ 
dependent of yfe for a given ||yfe|j. In the same manner, 
we have /( 5 fclCfc;^Cfe) - CA/'(/Xg., cr^e), where /Tg. = 
__ Cfc anH rr^ = __ 

{l+Ck+w'ick)M y/M {l-\-Ck+w1ck)M' 


^Throughout this paper, we do not include all details of the derivation if it 
involves simple calculations. 
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B. pdf of f{gl\gkXk]Wk) 

We first derive the joint pdf of /(h^, h^, y^; Wk)- From the 
Baye’s theorem, we have 


/(hfc,hfc,yfc;wfe) = f{h.u,Yk\K'^wu)f{hl), 


where 


f{h.k,yk\K\Wk) 

and /(h|) ~ CA/'(Om, Im)- 

Then, the conditional distribution of h| given and y^, 
/(h||hfc,y^; Wfc), becomes also the multivariate normal dis¬ 
tribution that can be directly obtained from /(h|, h^, y^; Wfc) 
1^ . After some manipulations, we have /(h^jhfe,y^;rufc) ~ 
CA/'(pt, S), where p, = {vk - y/ck^k) and S = 

, ^ 2 —Im- Then, since qt = ^ve can derive 

i+wf.Ck ^k 

f{gl\h.k,yk\Wk) from the transformation of the random vec¬ 
tor as follows: 

/(Sfe|hfc,yfc;wfc) 

^ (l+^fe ~ ’ {l + wlck)M) ■ 

Note that, by substituting @ into Q, we have , which 

provides f{gl\h.k,yk\Wk) = f {gl\^k,^k,ykXk]Wk) = 
f {gl\\ik,s^k,gk,ykXk\Wk)- Then, we finally have 
/(5fc|hfe,yfc;wfc) = f{gl\gk,Ck]Wk) since /( 5 £|hfc,yfc;u;fc) 
is characterized by gk and t^k- 


Appendix E 


The MMSE estimator for gk is given by gk = 

E [pfc|rfc,qfc,Cfc; Wfe] = J gkf {gk\rk,c[k,Ck;wk)dgk. Thus, 

the mean value of f {gk\rk,q.k, Ck',Wk), denoted by pg^, 
is the MMSE estimator for gk- The distribution of 
/ {gk\rk, <ik, CklWk) can be derived as follow: 


/(5/c|rfe,qfc,Cfe;w^fc) 

_ /(gfc,r/c|qfc,Cfc;wfc) 
f {rk\(ik,Ck-,Wk) 

^ /(r/c|gfc,qfc;wfc)/(gfclCfc;wfc) 

/ f {rk\gk,tik;wk) f {gk\Ck',Wk)dgk' 

The pdf of f {gk\Ck',Wk) in ( |39| ) is derived in Appendix [P] 
while the pdf of / q^; wj.) can be obtained from (0, 

which is given by / (r^lpfe, q^; Wfc) ~ CAf {gk<lk,crljNa) ■ 
Then, after some manipulations, we finally have the pdf of 
f {gk\rk,(lk,Ck]Wk) CAf{pg^,alJ, where 




(iWk + alJa^^ 


a 


2 

rik 


a 


2 

9k 




+ a 


2 

rik 


Thus, the MMSE estimator for gk is given by gk = 




. In the same manner, we can derive the pdf 


of f {gt:\Yk,qk,Ck;wk) CJV{pgg,apj, where 

Ma.= “"-1 f + <>■../< j 

l + W^Ck\y/ckM qtq^ +cr2^/cr2^ J 

cr?e = f f '^kCk \ ^ ^Ik^lk 

®'= (l-l-w^Cfc)M \l + wlck) (T2^qf qfc-I-0-2^ 
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